Krypton turns your iOS device into a WebAuthn/U2F Authenticator: strong, unphishable 2FA.

Overview

Krypton implements the standardized FIDO Universal 2nd Factor (U2F) protocol to provide secure, unphishable two-factor authentication on the web, now in the convenient form factor that is your phone.

  • No more mistyping, missing 30 second windows, or waiting endlessly for that SMS.
  • Instant Sign-in: Krypton securely pairs with your computer so that you don't have to touch your phone for each sign-in. Optionally, enable One tap sign-ins for enhanced security.
  • Stops Phishing: SMS and authenticator app codes can easily be phished. Don't let that happen to you. Krypton protects you from phishing.
  • Works with the sites you love: Google, Facebook, Twitter, Dropbox, GitHub and many more.
  • Quickly protect your accounts: Setting up two-factor can be time consuming and repetitive. Just scan once with Krypton.
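
Why a U2F assertion obtained on a look-alike site is useless against the real one, as an added example (not Krypton's code): a relying-party check over the FIDO U2F authentication message. The origins, appId, challenge, counter values and all function names are constructed for illustration.

```javascript
// Added example: keys, origins and challenge are constructed; not Krypton's code.
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Bytes covered by a U2F authentication signature:
// SHA-256(appId) || user-presence flag || 4-byte counter || SHA-256(clientData)
function signedBytes(appId, counter, clientData) {
  const counterBytes = Buffer.alloc(4);
  counterBytes.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), counterBytes, sha256(clientData)]);
}

// Browser: it, not the page, records the origin the user is actually on.
function browserClientData(origin, challenge) {
  return JSON.stringify({ typ: "navigator.id.getAssertion", challenge, origin });
}

// Authenticator: signs with the key registered for this appId.
function authenticatorSign(privateKey, appId, clientData, counter) {
  const signature = crypto.sign("sha256", signedBytes(appId, counter, clientData), privateKey);
  return { clientData, counter, signature };
}

// Relying party: returns "ok" or the reason the assertion is rejected.
function verifyAssertion(rp, assertion) {
  let cd;
  try { cd = JSON.parse(assertion.clientData); } catch { return "bad client data"; }
  if (cd.typ !== "navigator.id.getAssertion") return "wrong type";
  if (cd.challenge !== rp.challenge) return "challenge mismatch";
  if (cd.origin !== rp.origin) return "origin mismatch";
  if (assertion.counter <= rp.lastCounter) return "counter did not increase";
  const data = signedBytes(rp.appId, assertion.counter, assertion.clientData);
  return crypto.verify("sha256", data, rp.publicKey, assertion.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const rp = {
    origin: "https://accounts.example.com", appId: "https://accounts.example.com",
    challenge: crypto.randomBytes(32).toString("base64url"), publicKey, lastCounter: 41,
  };
  const sign = (origin) =>
    authenticatorSign(privateKey, rp.appId, browserClientData(origin, rp.challenge), 42);
  const genuine = sign(rp.origin);
  const lookAlike = sign("https://accounts.example.com.login.test");
  // Swapping in the real origin after signing changes the clientData hash.
  const rewritten = { ...lookAlike, clientData: browserClientData(rp.origin, rp.challenge) };
  return {
    genuine: verifyAssertion(rp, genuine),
    lookAlike: verifyAssertion(rp, lookAlike),
    rewritten: verifyAssertion(rp, rewritten),
  };
}

console.log(demo());
```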

Install our companion browser extension at: https://krypt.co/start.

Krypton for Developers

Krypton supports developer mode so you can use Krypton as a security key for SSH and PGP private keys in addition to U2F.

Download our command line utility:

    curl https://krypt.co/kr | sh

Then type kr pair to securely pair Krypton with your computer. Krypton integrates with the ssh command to send signature requests right to your phone. Krypton also makes signing Git commits and tags with PGP easy: run kr codesign to get started.

Zero trust infrastructure

Krypton is built on top of an end-to-end verified and encrypted architecture. This means zero trust. We, Krypt.co, have zero information about keys or where you're authenticating. The keys only live in the Krypton app on your phone.

Learn more about Krypton's security architecture. For more information, check out krypt.co.

Build Krypton

Instructions below only work for macOS

  1. Rust:
       curl https://sh.rustup.rs -sSf | sh
       rustup target add aarch64-apple-ios
       rustup target add armv7-apple-ios
       rustup target add armv7s-apple-ios
       rustup target add x86_64-apple-ios
       rustup target add i386-apple-ios
       rustup update
       cargo install cargo-lipo
  2. libtool, autoconf, automake:
       brew install libtool
       brew install autoconf
       brew install automake

Have an Android phone?

The Android implementation is located here.

Security Disclosure Policy

krypt.co follows a 7-day disclosure policy. If you find a security flaw, please send it to [email protected] encrypted to the PGP key with fingerprint B873685251A928262210E094A70D71BE0646732C (grab the full key here). We ask that you delay publication of the flaw until we have published a fix, or seven days have passed.

LICENSE

We are currently working on a new license for Krypton. For now, the code is released under All Rights Reserved.

Comments
  • iOS: Turning off 'Show approved notifications' does not stop Approved notifications

    Not sure what info you need but:

    iPhone 7 iOS 10.3.3 Kryptonite v2.2.0

    I set When to ask for approval? to never and Show approved notifications? to off but still get a constant stream of Approved request from ... SSH Login anytime I interact with my git repo.

    opened by shanewilson 11
  • When using OpenSSH ProxyJump, "Allow for 3 hours" only working for jump host

    I'm using the iOS app version 2.1.1, and these for the other apps:

    $ kr --version
    kr version 2.1.2
    
    $ ssh -V
    OpenSSH_7.3p1, LibreSSL 2.4.1
    

    The issue I'm seeing is when I try to connect to an SSH destination through an intermediate "jump host," using a configuration similar to this (edited for confidentiality and to remove (hopefully) irrelevant details):

    Host jump-host
        HostName jumphost.companyname.local
    
    Host destination-host
        Hostname 10.42.0.30
        ProxyJump jump-host
    
    Host *
        PKCS11Provider /usr/local/lib/kr-pkcs11.so
        ProxyCommand /usr/local/bin/krssh %h %p
        IdentityFile ~/.ssh/id_kryptonite
    

    My Kryptonite public key is installed in the authorized_hosts file of both the jump host and the destination host, and I can successfully connect to destination-host with the command ssh destination-host. The problem is that after a recent version upgrade, the "Allow for 3 hours" option in the iOS app only works for the jump host. Here's the sequence of events for a "cold" connection:

    1. I use the command ssh destination-host from a computer paired with the Kryptonite iOS app
    2. The connection to jump-host is initiated, and I'm alerted on my phone to approve of an authentication request from jump-host.companyname.local.
    3. I choose "Allow for 3 hours."
    4. The connection to the jump host is established.
    5. A connection to the destination host is initiated through a jump host tunnel, and I'm alerted on my phone to approve of an authentication request from unknown host.
    6. I choose "Allow for 3 hours."
    7. The connection to the destination host is established.

    But when I reattempt the connection immediately thereafter:

    1. ssh destination-host
    2. The connection to jump-host is initiated, I'm alerted on my phone that an authentication request from jump-host.companyname.local was automatically approved, and the connection to the jump host is established.
    3. A connection to the destination host is initiated through a jump host tunnel, and I'm alerted on my phone to approve of an authentication request from unknown host.
    4. I'm once more presented with the phone prompt to allow or reject the authentication request.

    Additional observations:

    • My iOS app's known hosts shows the jump host (jump-host.companyname.local), but not the destination host.
    • When I run a verbose SSH command, I can see the jump host identifying itself by FQDN (jump-host.companyname.local), but the destination host by IP address.
    • The destination host's IP address is in an IPv4 private address range.

    Some possibly relevant debug messages from the ssh client (from a "warm" connection attempt, and edited for confidentiality):

    debug1: Executing proxy command: exec /usr/local/bin/krssh jump-host.companyname.local 22
    
    debug1: Authenticating to jump-host.companyname.local:22 as 'username'
    
    debug1: Host 'jump-host.companyname.local' is known and matches the RSA host key.
    debug1: Found key in /Users/username/.ssh/known_hosts:236
    
    debug1: Offering RSA public key: /Users/username/.ssh/id_kryptonite
    debug1: Server accepts key: pkalg ssh-rsa blen 535
    Kryptonite ▶ Requesting SSH authentication from phone
    Kryptonite ▶ Success. Request Allowed ✔
    debug1: Authentication succeeded (publickey).
    Authenticated to jump-host.companyname.local (via proxy).
    debug1: channel_connect_stdio_fwd 10.20.0.75:22
    debug1: channel 0: new [stdio-forward]
    
    debug1: Authenticating to 10.42.0.30:22 as 'username'
    
    debug1: Offering RSA public key: /Users/username/.ssh/id_kryptonite
    debug1: Server accepts key: pkalg ssh-rsa blen 535
    Kryptonite ▶ Requesting SSH authentication from phone
    Kryptonite ▶ Phone approval required. Respond using the Kryptonite app
    Kryptonite ▶ Success. Request Allowed ✔
    debug1: Authentication succeeded (publickey).
    Authenticated to 10.42.0.30 (via proxy).
    debug1: channel 0: new [client-session]
    debug1: Requesting [email protected]
    debug1: Entering interactive session.
    
    opened by ldcasillas-progreso 9
  • Issue with Google Smart Lock

    I can't use Krypton with Google Smart Lock, preventing me from logging in on iOS devices. During the process Smart Lock pops up a notification asking if I want to open Krypton (to handle the U2F bits), so I said "Open App". Krypton shows the authentication request, I accept it, but then instead of popping back into Smart Lock it opens Safari which just results in a 400 Error from Google.

    I also have a bluetooth U2F token from Feitian that I could use but once I've told Smart Lock it can open Krypton I can't stop that from happening, preventing me from using the bluetooth token. Reinstalling Smart Lock didn't help resetting that flow.

    opened by daenney 7
  • "Cannot connect to the Internet"

    For some reason (DHCP slow?) when Krypton is started from a notification while the phone is asleep, a popup sometimes shows up with a "Cannot connect to Internet" message while any other app may access the Internet.

    I suspect Krypton is faster to test the connection than the phone is to obtain an access to the Internet when connected to some enterprise WiFi network.

    It would be no trouble if the popup had a "Try again" button - but unfortunately it had not, only an abort or Settings button to reach the connection settings that need no change.

    Once this popup is closed, there is no immediate option (but kill the SSH request on the host side and restart a new SSH connection) to obtain a new authorisation request to show up on Krypton UI.

    bug 
    opened by eblot 4
  • Source Tree Push notifications

    Hey guys,

    Currently using Krypton on iOS and my Mac for development. I have Krypton tied to my BitBucket account which works great. Finally decided to start up source tree to push a few things and noticed that it is sending dozens of approvals. I know this is technically by design for both Krypton and Source Tree but not sure what I can do to silence this other than using a separate key for Source Tree.

    opened by Esity 4
  • Known-host Check Exemption for localhost

    In my setup, I use a "bastion" (aka SSH jumpbox or proxy) which randomly assigns localhost TCP ports whenever I create a new SSH connection tunneled via an HTTPS WebSocket. For instance, it allows me to connect to a server in a private network when I connect to localhost:12345 where 12345 is a randomly assigned port number.

    For the local SSH agent, I can add StrictHostKeyChecking=no and UserKnownHostsFiles=/dev/null to .ssh/config's Host localhost section, to prevent clutters caused by randomized host:port pairs (even when connecting to the same destination server).

    I'd like to have a simple option to achieve the same effect for localhost in Kryptonite. Also, if this is enabled, all pairs of localhost and random port numbers should be treated as the same target host so that "allow for 3 hours" works with all localhost connections (maybe related to #63).

    opened by achimnol 3
  • "Allow for 3 hours" no longer working after update

    I updated to 2.1.0 on my macbook last week, and now the Allow for 3 hours option is no longer working, and I'm being asked for every request. I was not notified of any update to the app.

    opened by maximumdata 3
  • badLogBlockHash, try again

    Not sure if this is a client or a server problem.

    Request failed.
    
    The incoming request was invalid. badLogBlockHash. Please try again
    

    I've been getting this error whenever I use Krypton with Git. It seems to not matter however, I get the regular confirmation push notification after that and everything still works.

    opened by benmoss 2
  • "The incoming request was invalid" if krypton app not open

    👋 Apologies if this is a duplicate, and I really love krypton btw!

    When logging into AWS I see the following error unless I explicitly open the app. EDIT: this is actually happening on all services for me now.

    I've tried re-pairing with the browser but to no avail. Happy to provide any other info if you think it's helpful.

    opened by kingishb 2
  • Unable to pair with Chrome's Krypton Authenticator

    Every time I try to pair the iPhone Krypton app with Krypton Authenticator in the Chrome App, it fails. The Android app, on the other hand, succeeds.

    Version: 2.4.2677

    opened by ken5scal 2
  • Pairing with Google Account on macOS Safari doesn't work.

    Pairing with Google Account on Safari 13.1.1 doesn't work, having the app installed on iOS 13.4.1. Notification arrives on the iPhone, I approve it, I get approval notification on macOS but on the google page the pairing doesn't happen. The page says: "Something went wrong. Retry"

    opened by mkexc 1
  • Import Paper Backup Codes

    I've made a paper backup like the one in the image. Now I want to import it to another phone. How can I do it? I can't find any option in the app to input secrets. I think that I should have a QR code here to scan in another app.

    opened by gosak 0
  • Krypton iOS needs to be foreground in iOS 14

    Since I’ve upgraded to iOS 14, I’ve found that I need to have Krypton in the foreground with the phone unlocked to either be able to sign commits or authorize SSH signatures.

    This may be related to know iOS security/privacy measures, but it’s making Krypton substantially less useful for me.

    opened by halostatue 5
  • Can't use signed pubkey

    I'm trying to sign my krypton public key to SSH into a machine which trusts that certificate authority key. I can do so with a non krypton key (just a normal rsa key with the private key stored on my computer), but krypton doesn't seem to be able to authenticate the request when I try to sign my id_krypton.pub key.

    I signed it like this:

    ssh-keygen -s ../temp/ca-key -I david -n root -V +1w -z 1 id_krypton.pub

    Krypton on iOS reports:

    Request failed
    The incoming request was invalid/ UnsupportedSSHDigestAlgorithm(). Please try again.

    ssh -vvv reports:

    debug2: sign_and_send_pubkey: using private key "/Users/david/.ssh/id_krypton" for certificate
    debug3: sign_and_send_pubkey: signing using [email protected]

    It seems that [email protected] is not one of the supported digests (see extension DigestType in Krypton/Keypair+SSHFormat.swift)

    What would be required to support this? Would the phone need a copy of the CA public key?

    opened by ppymdjr 1
  • Does not work in Safari on iOS 13

    When I try to log in to Github on my iOS device (iOS 13.5.1), the Krypton app does not open. Instead a popup prompts me to connect a security key.

    From reading other issues it seems that this has worked before. (#115, https://krypt.co/blog/posts/use-google-advanced-protection-with-krypton.html#setup-instructions)

    opened by tbuehl 0
Releases(2.5.5)
Owner
krypt.co
Krypton turns your phone into a U2F/FIDO2 authenticator providing unphishable, zero-touch logins without any separate hardware.